How virtual MFA tokens work

Introduction

Chris Birchall

Almost every day I open Authy on my phone and provide a one-time MFA (multi-factor authentication) token in order to log in to AWS. I also use MFA for a number of different sites, including Google, GitHub, Slack, Dropbox and Twitter. If you are not using MFA to protect access to your sensitive data, you should be!

But how does this stuff work? When you snap a QR code with your phone, what is actually happening? Let's find out...

Here's a QR code generated by AWS:

(Before you try and hack me, I should point out that this code is for a temporary dummy user in a non-production AWS account!)

If we decode this QR code, we see that it is actually a URI containing a bunch of metadata and a secret:

totp - this is the token algorithm to use. TOTP stands for Time-based One-Time Password, and it derives each code from a keyed hash of the current timestamp and a shared secret. It's a variant of the HOTP (HMAC-based One-Time Password) algorithm, with a time-step counter in place of an event counter.

secret=2HZ... - this is the shared secret required by the hashing algorithm, encoded as a base-32 string.

Generating a one-time token

The algorithm to generate a token looks like this, assuming the client and server agree to use the default values for all the algorithm's parameters:

The resulting hash is 20 bytes long, so we don't really want to type the whole thing in. We take a 4-byte chunk of it, treat it as an integer, take the value modulo 10^6 and zero-pad it if necessary, to give us the 6-digit MFA token that we know and love.
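To make the steps above concrete, here is an added Python implementation of the default TOTP profile (HMAC-SHA1, 30-second step, 6 digits) together with the server-side check; it is example code written for this explanation, not code from the post or from any authenticator app. The secret is the constructed RFC 4226/6238 reference key `12345678901234567890` in the base-32 form it would take inside an otpauth URI, so the outputs can be compared against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the RFC 4226 / RFC 6238 reference key
# "12345678901234567890", base-32 encoded as it would appear in the QR code URI.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    # Authenticator apps tolerate lower-case, spaces and missing '=' padding; normalise first.
    normalised = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(normalised + "=" * (-len(normalised) % 8))
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()  # 20 bytes
    # Dynamic truncation: the low 4 bits of the last byte choose which 4-byte chunk to use.
    offset = digest[-1] & 0x0F
    chunk = digest[offset:offset + 4]
    value = struct.unpack(">I", chunk)[0] & 0x7FFFFFFF  # clear the top bit
    # Reduce modulo 10^digits and zero-pad to get the familiar 6-digit token.
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret_b32, timestamp=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp) // step, digits)


def verify_totp(secret_b32, token, timestamp=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step and `window` steps either side for clock drift.

    Uses a constant-time comparison so the check does not leak how many digits matched.
    """
    if timestamp is None:
        timestamp = time.time()
    current = int(timestamp) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter, digits), str(token)):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET_B32, 0))      # 755224 (RFC 4226 vector)
    print("TOTP at t=59:  ", totp(TEST_SECRET_B32, 59))     # 287082 (step counter 1)
    print("Current token: ", totp(TEST_SECRET_B32))
```

A real server should also remember the last counter it accepted for a user and refuse to accept that step again, otherwise a captured token can be replayed within the drift window.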